Columbia University

Advertised Summary Job Description: Reporting to the Chief Information Security Officer of Columbia University Irving Medical Center (CUIMC) the Information Security Architect will be a senior technical individual contributor and act as a member of the information security leadership team. The Information Security Architect will have a significant impact on new initiatives, such as the rapid adoption of cloud platforms and infrastructure, and existing processes and security architecture, far into the future of the Medical Center. As this is a new position for CUIMC you will have the opportunity to shape the position and responsibilities as well.

Responsibilities include: driving CUIMC security technology strategy, and influence overall IT strategy, across the medical center: aligning standards, frameworks and security with overall business and technology strategy; creating solutions that balance business requirements, threat mitigation, and compliance requirements in an effort to provide effective, efficient, and appropriate risk mitigation; researching, evaluating, piloting and recommending new technologies for potential implementation, and existing technology for continued efficacy; working with the security leadership team to develop - and monitor the success of - the systems supporting the information security program (ex: network monitoring and response, log management/SIEM, advanced endpoint security, multi-factor authentication); providing security architecture and designing guidance for major IT initiatives from project inception to service roll-out (ex: Office365 implementation, enterprise VDI, AWS); understanding all the layers of CUIMC key systems, from layer 2 network to virtualized systems infrastructure to top level application stack as well as complex technical inter-dependencies, and understanding the implications and enterprise impact of system failure and key CUIMC data; understanding technology-dependent key business processes and the security issues that can occur from complex people and process interactions; keeping current on attack trends and security threats - technical, social, and any combination therein; prioritizing, escalating and communicating shifts in threat actors appropriately; keeping current on security architecture implications of relevant regulatory requirements (ex: HIPAA, PCI, New York State regs); reviewing and interpreting data use agreements, contracts and regulatory compliance documents, and be able to articulate their technical requirements and security risk implications; supporting Risk Management, Security Operations, and overall IT operations as a senior technical expert; contributing back out to the healthcare, higher education, and broader information security community; providing mentor-ship and coaching to technical security staff as time allows; all other duties as assigned.

General Minimum Qualifications: Requires a bachelor's degree or equivalent in education and experience, plus seven years of related experience.

Additional Specific Minimum Qualifications: Although not a data steward the Architect must know what our key data is, where it comes from, where it is going, and where our key risks are.

Excellent knowledge of core information security principles, their applicability, and common trade-offs. An ability to prioritize and judge those trade-offs within the context of an academic medical center and the strict operational requirements of providing world-class patient care.

Excellent critical and lateral thinking skills. Willingness and ability to perform in-depth research and pore over ? and critically assess ? any technology or process that comes to them. The architect must be absolutely unwilling to accept "I don't know how that works", "because that's the way it's always been done", or "that's how the government and 12 other schools do it" as justification for insecure system design. They must also be critical of security systems, vendors, and their peers, and be able to bust FUD (Fear, Uncertainty, and Doubt) whenever necessary.

Broad generalized technical background, and extensive understanding of a number of technical domains (ex: operating systems, networks, web applications, databases). Good understanding of secure systems design, and secure software development; network protocols and network design; most major operating systems with in-depth expertise of at least one.

Passion for understanding technology and experience doing so. The architect must be obsessed with understanding what makes things tick, preferably so they can figure out how to make them stop ticking and help design around discovered weaknesses. They must a data-driven, evidence-based decision zealot.

Excellent written and verbal communication skills, willingness and ability to debate complex security issues and defend positions with evidence.

Demonstrated ability to work in a fast-paced, deadline driven environment.

Ability to work with changing priorities and with multiple projects.

Ability to be precise and attentive to detail is essential.

Ability to work with minimal supervision.

Ability to work weekend and off-hour work on occasion.

Preferred Qualifications: A strong candidate should have some if not all of the following qualifications:

General understanding of different kinds of encryption, how they work, and which types of encryption are useful against various threat and compliance scenarios.

General understanding of fundamentals of identity and access management.

Good understanding of cloud technology overall, the different challenges of SaaS vs PaaS vs IaaS. Experience dealing with CASBs. In-depth knowledge of common SaaS providers and at least one IaaS provider preferred. Understanding of security advantages and risks of cloud computing.

Social Engineering (aka "people skills"). Ability to sit with front-line engineers for two weeks to tease out technical details, then turnaround and sit with executive management for two hours to abstract out key concepts from their findings.

Threat-based mindset and general belief that security systems exist primarily to protect the organization and community from malicious actors. This requires an understanding of common threats, attacker behavior and motivations, and general trends in the security threat landscape. Strategic thinking. Ability to envision a future architectural state that supports our goals and principles; realistically estimate the time, money, and effort it will take to achieve that state; and lead the effort to make those changes.

Risk-oriented mindset and good understanding of risk management. Understanding of risk quantification preferred but not required.

Presence in information sharing/trust communities ? public or private.

As a member of the National Collegiate Athletic Association (NCAA) and the Council of Ivy Group Presidents (Ivy League), it is imperative that members of the Columbia University community, in all matters related to the intercollegiate athletics program, exhibit the highest professional standards and ethical behavior with regard to adherence to NCAA, Conference, University, and Department of Intercollegiate Athletics and Physical Education rules and regulations.

Columbia University is an Equal Opportunity/Affirmative Action employer.

NOTES:

Relocation expenses are negotiable.

Internal Number: 126_173300

About Columbia University

Columbia University is one of the world's most important centers of research and at the same time a distinctive and distinguished learning environment for undergraduates and graduate students in many scholarly and professional fields. The University recognizes the importance of its location in New York City and seeks to link its research and teaching to the vast resources of a great metropolis. It seeks to attract a diverse and international faculty and student body, to support research and teaching on global issues, and to create academic relationships with many countries and regions. It expects all areas of the university to advance knowledge and learning at the highest level and to convey the products of its efforts to the world.